Posts Tagged keychain
I discovered something this Sunday morning that will make my day, week and month.
If you don't know much about ssh-agent, or if you're looking for a tutorial on using SSH public key authentication or ssh-agent, read one of the excellent articles linked from here before continuing.
On OS X, Apple has made it much easier to manage your SSH keys and to work with SSH by adding two welcome improvements.
The first improvement removes the need to start ssh-agent by hand in every session: launchd(8) owns the agent's socket, publishes its path as SSH_AUTH_SOCK in every session, and starts ssh-agent on demand the first time a client connects to it. launchd will also make sure ssh-agent is restarted if it crashes.
The launchd configuration file is here:

    hostname:~ user$ cat /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>org.openbsd.ssh-agent</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/bin/ssh-agent</string>
            <string>-l</string>
        </array>
        <key>ServiceIPC</key>
        <true/>
        <key>Sockets</key>
        <dict>
            <key>Listeners</key>
            <dict>
                <key>SecureSocketWithKey</key>
                <string>SSH_AUTH_SOCK</string>
            </dict>
        </dict>
        <key>EnableTransactions</key>
        <true/>
    </dict>
    </plist>

The Sockets entry with SecureSocketWithKey is what does the work: launchd creates the listener socket in a per-user directory and exports its path in the SSH_AUTH_SOCK environment variable of every process in your session, so ssh and ssh-add find the agent without any shell setup. The -l argument is Apple's launchd mode for ssh-agent, which makes the agent serve the socket launchd hands it instead of creating its own.
But the best part is the second improvement: your private keys stay as files in your ~/.ssh directory, but their passphrases can be kept in the Keychain, the system's protected credential store, so they can be loaded into the agent without prompting you, as shown in the picture below.
Apple quietly added a -K option to the ssh-add command: ssh-add -K ~/.ssh/id_rsa loads the key into the agent as usual and additionally stores its passphrase in the Keychain (ssh-add -d -K removes it again). The key files themselves stay in their usual location on disk; when they are loaded later, the passphrase is taken from the Keychain instead of being asked for, and ssh-add -A loads every key whose passphrase is stored there in one go. On recent macOS releases the same two options are spelled --apple-use-keychain and --apple-load-keychain, and putting UseKeychain yes together with AddKeysToAgent yes in ~/.ssh/config gives the same result without calling ssh-add at all.
What are the benefits of this? There is no more need to explicitly call ssh-add when your session starts, like you used to do in your
launchd starts ssh-agent, which loads the keys whose passphrases are referenced in your Keychain. Note that the key file itself is not stored in the Keychain, only its passphrase, so you cannot delete the key files from your file system.
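A small check script for the setup described above, added here as an example and not part of the original post: it tells whether the agent behind SSH_AUTH_SOCK is the launchd-managed one, compares a key's fingerprint with the identities the agent holds, loads the key with ssh-add -K when it is missing, and looks for the matching Keychain item. The default key path ~/.ssh/id_ed25519 and the Keychain item label "SSH: <key path>" are assumptions about how ssh-add -K names its entries, not something the post states; check the label in Keychain Access if the lookup fails. The two parsing helpers work anywhere; main runs only when SSH_KEYCHAIN_CHECK_RUN=1 is set, since it needs a macOS agent.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the launchd/Keychain
# ssh-agent setup on macOS. Assumptions (not confirmed by the post): the key
# defaults to ~/.ssh/id_ed25519, and ssh-add -K labels its Keychain item
# "SSH: <key path>". Set SSH_KEYCHAIN_CHECK_RUN=1 to actually run main.

# Classify the SSH_AUTH_SOCK value. A launchd-managed agent (SecureSocketWithKey
# in org.openbsd.ssh-agent.plist) listens under a per-user directory in
# /private/tmp; anything else was started by hand or by another tool.
agent_kind() {
  case "$1" in
    "") echo none ;;
    /private/tmp/com.apple.launchd.*/Listeners) echo launchd ;;
    *) echo manual ;;
  esac
}

# Count identities in `ssh-add -l` output read from stdin. Each loaded key is
# one line starting with its bit length; an empty agent prints
# "The agent has no identities." instead, which is not counted.
count_identities() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      [0-9]*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Return 0 if the fingerprint given as $1 (second column of `ssh-keygen -lf`)
# appears in the `ssh-add -l` listing read from stdin, 1 otherwise. Both
# commands print "<bits> <fingerprint> <comment> (<type>)" on the same system.
key_is_loaded() {
  want=$1
  while IFS= read -r line; do
    set -- $line          # split the line into words; $2 is the fingerprint
    [ "${2:-}" = "$want" ] && return 0
  done
  return 1
}

# Load the key into the agent and store its passphrase in the Keychain.
# macOS 12 renamed -K to --apple-use-keychain; -K still works with a warning.
add_key_with_keychain() {
  ssh-add -K "$1"
}

# Look for the Keychain item ssh-add -K created (label is an assumption).
keychain_has_passphrase() {
  security find-generic-password -l "SSH: $1" >/dev/null 2>&1
}

main() {
  key=${1:-$HOME/.ssh/id_ed25519}
  echo "agent: $(agent_kind "${SSH_AUTH_SOCK:-}")"
  echo "identities loaded: $(ssh-add -l 2>/dev/null | count_identities)"
  fp=$(ssh-keygen -lf "$key.pub" | awk '{print $2}')
  if ssh-add -l 2>/dev/null | key_is_loaded "$fp"; then
    echo "$key is already in the agent"
  else
    add_key_with_keychain "$key"
  fi
  if keychain_has_passphrase "$key"; then
    echo "Keychain holds the passphrase for $key"
  else
    echo "no Keychain item found for $key"
  fi
}

if [ "${SSH_KEYCHAIN_CHECK_RUN:-0}" = 1 ]; then
  main "$@"
fi
```

Run it as SSH_KEYCHAIN_CHECK_RUN=1 sh check.sh ~/.ssh/id_rsa on the Mac; an agent reported as "manual" means something in your shell startup is still launching its own ssh-agent and overriding the launchd socket, which is exactly the setup this post makes unnecessary.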
Finally, because the Keychain can synchronise across your machines through iCloud, your keys' passphrases may become available automatically on all your machines (provided you're willing to keep a copy of your keys in iCloud, but that's a different story). Keep in mind what this trades away: the login keychain is normally unlocked with your account password when you log in, so on a running session the passphrase no longer adds protection beyond the login itself. Anyone who can read ~/.ssh and your unlocked login keychain has the key, which makes the permissions on ~/.ssh and the strength of your login password the real line of defence.